Understanding Man in the Browser Attacks and Addressing the Problem

Overview: The losses attributed to financial fraud are alarming. The financial services industry has become a primary target of cyber attacks on a global scale and, in 2009 alone, suffered losses totaling $54 billion - an increase from $48 billion in 2008. Of equally grave concern to financial services institutions is the damage cybercrime can cause to reputation, along with customer churn, both of which can have a significant, possibly devastating, effect on revenue.

While all types of cybercrime have been on the rise, there has been a sharp increase in financial fraud resulting from computers infected with malware. Malware typically targets desktop computers and relies on social engineering to induce unsuspecting home users to download and install malicious code on their computers.

One of the most dangerous types of malware for online banking and financial services is the Man-in-the-Browser attack. A Man-in-the-Browser attack occurs when malicious code infects an Internet browser. The code modifies actions performed by the computer user and, in some cases, is able to initiate actions independently of the user. Once a user has logged into their bank account, simply using an infected Internet browser is enough to trigger illicit transactions that result in online theft.

This paper reviews Man-in-the-Browser attacks and discusses which security measures should be employed to prevent them.